News

The Equifax Breach One Year Later: 6 Action Items for Security Pros

The Equifax breach last September was the largest consumer breach in history. We talked to experts about lessons learned and steps companies can take to prevent and minimize future breaches.

2 of 7

1. Pay attention to patching and configuration management

Too often in security we are our own worst enemies. Most analysts agree that the Equifax breach could have been prevented or minimized if the company had instituted a solid patching system that would have identified a vulnerability in an Apache Struts application. While companies need to focus on encryption and do a better job at data management, Peter Firstbrook, a research vice president with Gartner who focuses on security, says setting up a consistent patch and configuration management program can prevent the vast majority of breaches. A ServiceNow study conducted by the Ponemon Institute found that 57% of breaches could have been prevented by an available patch.

GAO report - breach caused by a misconfigured device that monitored network traffic - and this device let encrypted data through and out. This misconfig was caused by one ----- ONE FOLKS ----- expired certificate. There, just one thing. Incredible. SANS INSTITUTE NEWSLETTER:

QUOTE

A report from the US government Accountability Office (GAO) on the Equifax breach found that the company had to look at the attackers' database queries to determine exactly what information had been compromised. (The breach affected more than 165 million people worldwide.) The report found that "while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected." The misconfiguration was due to an expired certificate.

The core problem was that it was easy for the attackers to obtain the credentials to access the databases. The Struts vulnerability was simply the unlocked bedroom window the theives used to enter the house. It could have been one of any number of access points. If the IDs and credentials for the database systems were properly protected, this would have never become news. There was initial focus on some poor scapegoat IT director who didn't patch in time. But I'll bet you a dollar on a doughnut that if he had tried, his application owners would have screamed, "We can't patch now! We have a major product release that day/week/month that can't be delayed!" These are the same application owners who think it's just fine to still be running their applications on obsolete operating systems, etc. Until this industry gets credential security management under control, everyone's just whistling past the graveyard worrying about patching a million vulnerabilities. Almost every breach boils down to easily obtained passwords to key data assets. It's still too easy for the bad guys. Heaven help the enterprise where the attacker is an insider.

I think the main need is for a change in attitudes. You have to decentralize the operation, but also have to understand what decentralization means. You have to assume that one of the major components of the system will be completely compromised. You have to decide how you can prevent a compromised component from damaging the integrity of the whole system. Being able to convince upper management that the system is secure is not enough, it actually must be secure. Upper management can't rely on people telling them the truth, especially if it is felt that telling the truth will get you fired. If the people under you say that making the system secure will cost money, you have to be willing to spend money. I had a manager that he didn't like working with experienced people because they kept telling him about things that needed to be fixed.

Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...

Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...